ce73ef803a9ca243df8a35e2bd21da6d060ff0c414f8be94d5d387c33051ca0e

Analysis

max time kernel
171s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Current Statement for Global data.htm
Size

1KB
MD5

23bbb161fadd36943986acfb37b0aa67
SHA1

e97ee7bc4a56218d445a158a873ff7b34d6922fd
SHA256

ce73ef803a9ca243df8a35e2bd21da6d060ff0c414f8be94d5d387c33051ca0e
SHA512

95489da86dded4d11ae5a6d9f18176ee655ccef07691cb01e9e6cdc67e0ca0a0afe8166c89fe7c7cf269d390faebfbf67f24bb3dedf7ac250732d90846ce200a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1624	chrome.exe
1624	chrome.exe
2976	chrome.exe
2976	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1624	chrome.exe
1624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2656	1624	chrome.exe	69
PID 1624 wrote to memory of 2656	1624	chrome.exe	69
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 4840	1624	chrome.exe	86
PID 1624 wrote to memory of 3296	1624	chrome.exe	87
PID 1624 wrote to memory of 3296	1624	chrome.exe	87
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88
PID 1624 wrote to memory of 5012	1624	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\Current Statement for Global data.htm"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff734e9758,0x7fff734e9768,0x7fff734e9778
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:2
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 --field-trial-handle=1892,i,10491026256698582985,12098429896770562353,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8799f83fe408ef8a8fb136dcd68b061f

SHA1
28058ae8bf575c5966e32109f578d613360f96c5

SHA256
4b9f8fb07f01f9f916e7a110a49e3044a1cafb113ae301a018a871d149dd1f7f

SHA512
64a6c978b8a4f17117a0b878a147c75a847ca86a8a1a28c72c8c49603c83153cf24241ccdf4f4121a8ad367ba2f2ac9d0c039cca49a23f5768d706eaf40b4804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8296f67fb05f4bc052fef02ef99bb2d3

SHA1
af78c0f526aedeb68a54e72a9795293f5e08a9c2

SHA256
3861ff26cc866d0ef0742f090e2ac6a295e0394e925d880556d83f59c5091d31

SHA512
210ac42b4470e708283073f406bf7d714b7c085cfcfd5b64d463e6fd70351dc2feb3f62d533ef46fabf9d714067d75c8cb7ad2fc9a64959da03ffe670e47da94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
975d7e7ee0b3a2fd053e4a053d6146d7

SHA1
2cb0b82971185e99b1c83fefee213d0c30abd863

SHA256
57aaa6dac7c5ab7cc2461e2804cbb58eb9c17b0bd16f0ca1620d834d38702451

SHA512
c35697ab68739181cc05758f3bc725bd33b313f962fd59f63c08cba51f91693489579b3d9f4a1eed45aef1d75b293a38f1ba39f3cf56ee8dc35649ec7f797a2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
f68c250abcce1cfe00eb469e593e7b5d

SHA1
d060f50701119609d9cf534bdf22f00727e3f74e

SHA256
86046da8880e1364231a2260ee0822a2c4e24e9158263fef49912d8a8b24bd7e

SHA512
f2a55b7fcd7f1c87da05846159f31c0affd5dbf0711bed4873dcc24f1e2eb6b2a8a0818f2e1273a2ecf39da175677fd80ec6905855cadea1ade71dcc329e05ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit